fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Office MSGraph Vulnerability Could Lead to Code Execution

Microsoft Office MSGraph Vulnerability Could Lead to Code Execution

Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine.

Because the component can be embedded in most Office documents, an attacker can use it to deliver a malicious payload without the need for special functions.

Legacy code

Tracked as CVE-2021-31939, the security flaw is part of a larger set of security vulnerabilities that researchers at Check Point discovered in MSGraph and reported to Microsoft.

The reason the researchers focused on testing MSGraph for security flaws is that it contains code that is at least 17 years old and has an attack surface that is similar to Microsoft Equation Editor, where bugs fixed in 2017 continue to be heavily exploited to this day.

Also Read: Data Protection Officer Singapore | 10 FAQs

MSGraph editor in Microsoft Excel document
MSGraph editor embedded in a Microsoft Excel document

Details about the vulnerability are lacking at this point, as the bug received an identifier only recently. However, Check Point notes in a report today that CVE-2021-31939 is a use-after-free (UAF).

This type of flaw consists of incorrect use of dynamic memory during program operation and can lead to arbitrary code execution on the system.

According to the researchers, the issue is in a MSGraph file parsing function, which “is commonly used across multiple different Microsoft Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE) and Excel for OSX.”

Check Point’s public disclosure today includes three other security flaws discovered in the Microsoft Office MSGraph component, all of them patched last month:

  • CVE-2021-31174 – out-of-bounds read (OOBR) vulnerability leading to information disclosure in Microsoft Excel (medium severity); affects MSGraph, Office Online, and Microsoft Excel
  • CVE-2021-31178 – integer underflow to out-of-bounds read (OOBR) vulnerability leading to information disclosure (medium severity)
  • CVE-2021-31179 – memory corruption vulnerability leading to remote code execution (high severity)

All the flaws were discovered through fuzzing, a testing technique where code is bombarded with various input to find errors and security vulnerabilities. The exceptions generated this way include crashes and memory leaks that could lead to exploitation.

The researchers say that all four vulnerabilities can be embedded in most Office documents, leaving room for multiple attack scenarios with the vulnerability being triggered once the victim opens a malicious Office file.

“If exploited, the vulnerabilities would grant an attacker the ability to execute malicious code on targets via specially crafted Office documents,” Check Point told BleepingComputer.

Also Read: The DNC Singapore: Looking At 2 Sides Better

“Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others” – Check Point

Check Point reported the vulnerabilities to Microsoft on February 28 and three of them were patched last month. CVE-2021-31939 received its tracking identifier at a later date and is scheduled to receive a patch today.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us